In Outlook server doesn't support the encryption method specified error

[IRZQ88]

Yesterday when i setup a new VPS server, after migrating and changing nameserver, my client cannot send nor receive emails from my VPS server through Outlook. Doesn't matter which Outlook version, but if it using Windows 7 OS PC, i'll get an error 0x800CCC1A that saying my server doesn't support the encryption method specified. But if it using Windows 10, it can receive and sent emails normally.

I even had copy my Exim configuration from the old VPS using transfer tools, but the result is the same. Then i'm trying to update the "SSL/TLS Cipher Suite List" and "Options for OpenSSL" as this posting mentioned, but the result still the same, nothing change, my clients with Windows 7 OS still couldn't send nor receive email with the same errors.

FYI, I've attached my settings screenshot below and I'm using cPanel version 72.0.7.

So finally I've decided to change my nameserver to my old VPS, and it works normally for Windows 7 or Windows 10. This is very weird!

Anybody could help please? Thank you.

 

[mtindor]

Just to get you going -- I would expect you to make a determination whether or not to use these settings long term.

Dovecot:

SSL Cipher List:  ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

SSL Protocols:  !SSLv2 !SSLv3

Exim [Home --> Service Configuration --> Exim Configuration Manager --> Security]

Options for OpenSSL:

+no_sslv2 +no_sslv3

SSL/TLS Cipher Suite List:

ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS

/scripts/restartsrv_dovecot
/scripts/restartsrv_exim

NOTE: Make sure you make note of your current configuration. If the above info doesn't work for you, revert back. If you use this information and then suddenly something doesn't start back up, I can't help you. It's easy to revert back if you have kept a record of the previous settings.

Mike

 

[IRZQ88]

Just to get you going -- I would expect you to make a determination whether or not to use these settings long term.

Dovecot:

SSL Cipher List:  ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

SSL Protocols:  !SSLv2 !SSLv3

Exim [Home --> Service Configuration --> Exim Configuration Manager --> Security]

Options for OpenSSL:

+no_sslv2 +no_sslv3

SSL/TLS Cipher Suite List:

ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS

/scripts/restartsrv_dovecot
/scripts/restartsrv_exim

NOTE: Make sure you make note of your current configuration. If the above info doesn't work for you, revert back. If you use this information and then suddenly something doesn't start back up, I can't help you. It's easy to revert back if you have kept a record of the previous settings.

Mike

Thanks for the fast response Mike! But sorry, i don't understand what do you mean by this one?:

Dovecot:

SSL Cipher List:  ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

SSL Protocols:  !SSLv2 !SSLv3

 

[mtindor]

Dovecot is the IMAP/POP3 server, and you need to make sure that it's SSL/TLS settings work with Outlook as well.

WHM --> Service Configuration --> Mailserver Configuration

In there you'll see the SSL Cipher List and SSL Protocols sections if you are running Dovecot.

If you are just making changes to Exim, that only handles any issues you may have been having _sending_ mail with Outlook. If you have issues _receiving_ mail with Outlook, that's all Dovecot.

Mike

 

[IRZQ88]

Dovecot is the IMAP/POP3 server, and you need to make sure that it's SSL/TLS settings work with Outlook as well.

WHM --> Service Configuration --> Mailserver Configuration

In there you'll see the SSL Cipher List and SSL Protocols sections if you are running Dovecot.

If you are just making changes to Exim, that only handles any issues you may have been having _sending_ mail with Outlook. If you have issues _receiving_ mail with Outlook, that's all Dovecot.

Mike

I see.. Thanks Mike for this great explanation! I'll update the result here soon!

 

[mtindor]

You should also read the following thread [to make sure your Windows 7 is as up to date as it can be with regard to supporting various SSL/TLS options, etc. After all, the only ones with problems sending/receiving emails with the cPanel-preferred SSL/TLS settings for services are those running outdated operating systems, operating systems that haven't been updated, or email clients that haven't been updated. If you can fix the email client / client computer, you don't have to lower security on the server side.

Outlook 2016 Sending Email Fails After Cipher Suite Update

Mike

 

[IRZQ88]

You should also read the following thread [to make sure your Windows 7 is as up to date as it can be with regard to supporting various SSL/TLS options, etc. After all, the only ones with problems sending/receiving emails with the cPanel-preferred SSL/TLS settings for services are those running outdated operating systems, operating systems that haven't been updated, or email clients that haven't been updated. If you can fix the email client / client computer, you don't have to lower security on the server side.

Outlook 2016 Sending Email Fails After Cipher Suite Update

Mike

Okay, Once again thanks for your help!

 

[cPanelLauren]

Hello @IRZQ88

I also want to point out that rather than allow SSLv2 or SSLv3 you should first have your client add the Microsoft patch for TLSv1.2 https://support.microsoft.com/en-us...-and-tls-1-2-as-a-default-secure-protocols-in

Win 7 did not come with support for this originally and usually installing the patch they provide will allow the connection to be successful while still maintaining a secure environment.

Thanks!

 

[IRZQ88]

Just to get you going -- I would expect you to make a determination whether or not to use these settings long term.

Dovecot:

SSL Cipher List:  ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

SSL Protocols:  !SSLv2 !SSLv3

Exim [Home --> Service Configuration --> Exim Configuration Manager --> Security]

Options for OpenSSL:

+no_sslv2 +no_sslv3

SSL/TLS Cipher Suite List:

ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS

/scripts/restartsrv_dovecot
/scripts/restartsrv_exim

NOTE: Make sure you make note of your current configuration. If the above info doesn't work for you, revert back. If you use this information and then suddenly something doesn't start back up, I can't help you. It's easy to revert back if you have kept a record of the previous settings.

Mike

Thanks a lot Mike! This actually works!!! I don't believe this!!! :D

Hello @IRZQ88

I also want to point out that rather than allow SSLv2 or SSLv3 you should first have your client add the Microsoft patch for TLSv1.2 https://support.microsoft.com/en-us...-and-tls-1-2-as-a-default-secure-protocols-in

Win 7 did not come with support for this originally and usually installing the patch they provide will allow the connection to be successful while still maintaining a secure environment.

Thanks!

I see, Okay I'll check it up asap! Thank you Lauren!

 

[cPanelLauren]

Great! Please let us know how it works out and if you have any further issues.


Thanks!

 

[Jorge Tobon]

Great! Please let us know how it works out and if you have any further issues.


Thanks!

Hi Lauren.

I have same problem, and I applied the fix and now users can receive email but they can't send.

Do you know what could it be?

Thanks in advance for your help.

 

[cPanelLauren]

Hi @Jorge Tobon

Is there an error or notification when the user attempts to send mail?